'''Network forensics''' is the process of capturing information that moves over a [[network]] and trying to make sense of it in some kind of forensics capacity. A [[network forensics appliance]] is a device that automates this process.

+

== File types ==

+

Some variants of the RAW Image Format split the data among multiple segment files, which is also known as split RAW.

−

There are both open source and proprietary network forensics systems available.

+

There are various naming schemes for RAW Image Format files, some of the more common used for disk or volume images are:

Note that there are also RAW Image Formats specific to the storage media, e.g. RAW optical disc image.

−

PLEASE DO NOT ADD ENTRIES THAT DO NOT HAVE AN ARTICLE.

+

These often are accompanied by a table of contents file often in the [[CUE Sheet format]], e.g.

+

* BIN/CUE

+

* ISO/CUE

−

Please keep these in alphabetical order.

+

== Contents ==

+

The RAW Image Format is basically a bit-for-bit copy of the RAW data of either the disk or the volume, without any additions or deletions.

−

When updating any table, please update all tables as appropriate.

+

There is no [[metadata]] stored in RAW Image Format files. However sometimes the metadata is stored in additional files.

−

-->

+

The RAW Image Format was original used by [[dd]], but is supported by most of the computer forensics applications.

−

{| class="wikitable sortable" style="width: auto; font-size: smaller"

+

== See Also ==

−

|-

+

* [[Disk Images]]

−

! System

+

−

! [[software license|License]]

+

−

! User Interface

+

−

! Supported Platform

+

−

! Supported Protocols

+

−

! class="unsortable" | Refs <!-- This column is for a general reference and does not replace the need to identify references for specific features if the feature is not explained in the general reference -->

! class="unsortable" | Refs <!-- This column is for a general reference and does not replace the need to identify references for specific features if the feature is not explained in the general reference -->

+

−

|}

+

−

+

−

== Tips and Tricks ==

+

−

+

−

* The time between two events triggered by an intruder (as seen in logfiles, for example) can be helpful. If it is very short, you can be pretty sure that the actions were performed by an automated script and not by a human user.

+

−

+

−

== See also ==

+

−

* [[Wireless forensics]]

+

−

* [[SSL forensics]]

+

−

+

−

* [[IP geolocation]]

+

−

* [[Tools:Network Forensics]]

+

−

* [[Tools:Logfile Analysis]]

+

−

+

−

== External links ==

+

−

* [http://www.binbert.com/blog/2009/12/default-time-to-live-ttl-values/ Default Time To Live (TTL) values]

+

== Tools ==

== Tools ==

−

=== Open Source Network Forensics ===

+

* [[Dd|dd]]

−

* [[Argus]]

+

* [[dc3dd]]

−

* [[Bulk Extractor]] [https://github.com/simsong/bulk_extractor]

+

* [[dcfldd]]

−

* [[Chaosreader]] is a session reconstruction tool (supports both live or captured network traffic)

+

* [[dd_rescue]]

−

* [[DataEcho]]

+

* [[ddrescue]]

−

* [[FlowGREP]] is a basic IDS/IPS tool written in python [http://www.monkey.org/~jose/software/flowgrep/]

* [[logstash]] is a tool for managing events and logs. You can use it to collect logs, parse them, and store them for later use (like, for searching). Speaking of searching, logstash comes with a web interface for searching and drilling into all of your logs. [http://logstash.net/]

+

−

+

−

* [[log2Timeline]] a framework for automatic creation of a super timeline. The main purpose is to provide a single tool to parse various log files and artifacts found on suspect systems (and supporting systems, such as network equipment) and produce a timeline that can be analysed by forensic investigators/analysts. [https://code.google.com/p/log2timeline/]

+

−

* [[NetFSE]] is a web-based search and analysis application for high-volume network data [http://www.netfse.org available at NetFSE.org]

+

−

* [http://www.netgrab.co.uk NetSleuth] is a live and retrospective network analysis and triage tool.

+

−

* [[ntop]]

+

−

* [[NetGREP]] is a command line tool which tells you which lines in a text file contain network resources related to a particular country or Autonomous Network (AS) [https://pypi.python.org/pypi/netgrep/]

+

−

* [[NetworkMiner]] is [http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=NetworkMiner an open source Network Forensics Tool available at SourceForge]

+

−

* [[OSSEC]]

+

−

* [[Plaso]] (plaso langar að safna öllu) is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines [http://plaso.kiddaland.net/]

+

−

+

−

* [[RegRipper]] is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis [http://regripper.wordpress.com/]